Jeff Miller, Tamra Pawloski
2014 IT Procurement Summit headline news…
Cybersecurity is evolving and dynamic
Program elements
• Policy – program framework
• Prevention – anticipate risks and safeguard assets
• Detection – test and attempt to penetrate your own fortress
• Communication – awareness and understanding of risks and benefits
• Collaborate, adapt, and innovate over time…
Cybersecurity Maturity Path: It’s a Journey…
Opposing risk & benefit objectives
• Emerging technologies / outsourcing
• Increased threats & attacks
Tactical reactive silos to risk practice
• Information technology / sourcing / legal
• Collaborative team work
• Risk management – human capital
• Global scope & process integration
Risk Management Human Capital (beyond policies)
Vendor Risk Management (IT)
Vendor Risk Committee (IT, Legal, Sourcing and Business Continuity)
Certified Specialists
• Certified Information Systems Security Professional (CISSP)
• Certified Information Privacy Professional (CIPP)
• Certified in Risk & Information Systems Control (CRISC)
Chief Security Officer (IT)
Chief Privacy Officer (Legal)
The need for cyber risk skills is growing…
Traditional Skills
• Spend analytics
• Evaluations
• RFXs
• Negotiations
• Terms & Conditions
• SOW & SLA
• Asset & vendor management
Taming the Maintenance Monster
Additional Skills
• Risk management
• Technology and data security assessments
• Outsourcing specialist
• Office of Foreign Assets Control (OFAC) monitoring
• Data privacy
• Business continuity
“Defense in Depth” – Internal Systems and Solutions
Various Supplier Relationship Models Containing Data
• Application Service Providers (ASPs)
• Software-as-a-Service (SaaS)
• Business Process Outsourcing (BPOs)
• Benefit contractors (health insurance, 401k, …)
• Treasury contractors (banks, transfer agents, …)
• Third-Party Administrators (TPAs)
• Global IT outsourcers
• Programming outsourcers
• Program managers
“Defense in Depth” – External Service Providers
Cybersecurity - Collaborative Effort
Technology
• Platform compliance, system & access controls, vulnerability testing, and system monitoring
Vendor Risk Management
• Performs “assessments” / recommends options
Legal
• Regulatory, privacy and confidentiality T&Cs
Strategic Sourcing
• Sourcing compliance and negotiations
Supplier & Business Assessment “Risk Profile”
Data Protection Agreements and Provisions
• If possible, part of the RFX process along with your standard agreement template
• Holds the supplier accountable for safeguarding your data
• Contains requirements that go beyond what the law requires
• Part of our Sourcing Cyber Security process
Data Protection Agreements Contents
Data Restriction (what the supplier can and cannot do with our data)
Compliance with federal, state, provincial and local laws and regulations
Physical Security Controls
• Location (alarm systems, visitor access, security guards, fire & water, HVAC, video surveillance, etc.)
• Trash disposal program
• Security and environmental controls over all computer rooms and equipment used to process, file, store, or transmit data
Data Protection Agreements Contents (continued)
Data Security Controls
• Logical access controls
• User sign-on identification and authentication
• Password protection of system applications, data files, databases, repositories, and libraries
• Accountability tracking
• Anti-virus software
• Secured printers
• Restricted ability to download to disk / devices
• No logically shared environments with others…
Data Protection Agreements Contents (continued)
Supplier Representatives
• Background checks once a year
• Citizenship check & Social Security check
• OFAC Specially Designated Nationals check
• Criminal felony and misdemeanor check
• Education / prior employment check
• Credit / financial check
• Must attend confidentiality and security awareness training (including monitoring)
• Must advise of any international handling
Data Protection Agreements Contents (continued)
Audits and Inspections (permitted)
Security Administration (access records)
Access (no shared IDs; need-to-know, job-function basis)
Supplier System Security (adequate network protection, logically secured…)
Operation Procedures (security patches and escalation procedures)
Data Protection Agreements Contents (continued)
Encryption (any exchange of data across the Internet or on removable media)
Network Security (detection / prevention sensors, firewalls, vulnerability tests)
Web Application Security (same as above)
Breach Notification (procedures, escalation, investigations & liabilities)
Call Recording and Monitoring (secured consent, and access to recordings)
More…?
Data Protection Agreements – Types
IT Vendor Risk Management completes the “Risk Profile” & determines the agreement type
The earlier in the process, the more success!
Various types
• Long standalone – comprehensive
• Short form – limited or no risk
• Custom
Cyber insurance where & when required
Part of our standard sourcing process
Data Protection Agreement Process
Master Services Agreement
• Terms & Conditions
• Statement of Work
• Data Protection
• Service Level Agreement
Data Protection Agreement
• Long form – comprehensive
• Custom
• Short form – limited risk
Data Protection Agreement Process – Who?
• Strategic Sourcing, Legal
• Vendor Risk Management & IT
• Vendor Risk Management & Strategic Sourcing
• Legal, Vendor Risk Management & Strategic Sourcing
• Strategic Sourcing, Legal & IT
Summary
Threats are on the rise – be vigilant!
Technology expands and cyber risk mitigation is a journey…
Risk management skills will become critical for everyone!
Hold your suppliers accountable when handling your data and information!
Make cyber security part of your standard process!
Questions?
Thank you…